By making the Domain Admins a restricted group in Active Directory it will make sure that no accounts are added or removed from this group without configuring it in Group Policy. The reason for this is because I have a help desk person who likes to add people to these groups in order to trouble shoot problems and often forgets to remove them when completed. If I make the Domain Admins a restricted group then any modifications he makes will be overwritten every 90 minutes when Group Policy is re-applied. This will also aid in defending against any attacker who tries to add a user account to a privelaged group to gain access to network resources.